Will the “hot zero-day summer” we’ve been experiencing in 2023 become the new normal?
With 62 zero-day vulnerabilities exploited since January, 2023 is on track to reach, or even exceed, a pandemic record-high of 88 exploited zero-days in 2021.
According to Sandra Joyce, Mandiant’s head of global intelligence, the adversaries responsible for the most zero-day exploits this year are Chinese advanced persistent threat (APT) groups.
“Some of them have reached a level of sophistication that allows them to exploit a zero-day vulnerability in a few hours without getting detected – and sometimes it takes us, defenders, a long time to figure out how they did it,” she said during Google Cloud’s Mandiant mWISE conference, held in Washington, DC from September 18 to 20, 2023.
Zero-Days Help Chinese APTs to Reach a Wider Range of Victims
Her colleague Ben Read, head of cyber espionage analysis at Mandiant, added that Chinese state-sponsored threat actors have dominated the zero-day scene since at least the COVID period.
“Chinese hackers have been the top state-sponsored threat actors in terms of zero-day usage over the past three years,” he said.
According to Joyce, this is the result of a recent reorganization of the People's Liberation Army (PLA) and the Chinese Ministry of State Security (MSS), meaning that “China has put a greater focus on using cyber as an asymmetric capability.”
In practice, Joyce explained, this new emphasis means that Chinese APTs now mainly run multi-pronged malicious campaigns, each targeting a wide range of victims, sometimes with different purposes. Finding zero-day vulnerabilities and quickly exploiting them before patches are released and deployed allows them to reach more victims than a simple malware infection would.
“Zero days cost a lot of money, but the pay-out is just so big that it's worth it for ransomware groups.” – John Hultquist, chief analyst, Mandiant Intelligence
“Take UNC4841, a Chinese threat group responsible for targeting the Barracuda email security gateway (ESG) appliances, which compromised hundreds of organizations around the world,” Joyce stated during her mWISE opening keynote speech.
“During this eight-month campaign, UNC4841 had been looking at 26 sector clusters of activity. A third of the targeted victims were traditional targets of cyber espionage (in government, aerospace, defense…) and a fifth were selected to propagate the compromise themselves, such as IT and tech companies. Finally, some victims were also from discreet, strategic areas of interest like chip manufacturing, manufacturing and finance.”
Furthermore, Chinese APT groups are no longer the only state-sponsored threat actors to leverage zero days.
Russian APTs frequently used zero-day exploits in 2022 to deploy wiper attacks and, more recently, at least one North Korean threat group has also actively exploited a zero-day vulnerability in a campaign targeting security researchers, a September 2023 Google Threat Analysis Group (TAG) report found.
Zero-Day Exploits to Blame for Ransomware Uptick
However, the second group most actively exploiting zero-days in 2023 is not Russian or North Korean APTs, but cyber-criminals.
Moderating an mWISE panel on zero-days, CNN cybersecurity reporter Sean Lyngaas commented: “The time where only people in the business of intelligence or espionage had to worry about zero-days is over.”
Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, agreed, saying that ransomware groups have also recently joined the zero-day gold rush.
“We certainly see an increase in the use of zero-days by ransomware actors. This year has seen nearly $500m worth of ransomware payments – a 50% year-on-year increase – which is in large part due to the deployment of zero-days in ransomware attacks,” she said.
The reasons for this can be diverse, ranging from ransomware groups looking for other ways to compromise victims whose willingness to pay the ransom is declining, to groups receiving more funding that allows them to purchase zero-days.
According to John Hultquist, chief analyst at Mandiant Intelligence, the main reason is simpler than that: “Many ransomware groups realized that to scale their operations, nothing was better than exploiting one zero-day vulnerability in a product that sits on the edge of the network and that a lot of different organizations use – just like what FIN11 did with the MOVEit supply chain attack [while other security vendors attribute MOVEit to Clop, Mandiant claimed it was FIN11, which they track as a Clop affiliate].”
“Yes, zero-days cost a lot of money, but the pay-out is just so big – tens of millions of dollars – that it’s worth it for them,” he told Infosecurity.
With nearly all categories of threat actors now increasingly leveraging zero-days, it is very likely that the ‘hot zero-day summer’ will continue through fall and winter.
However, it’s not all doom and gloom for the cybersecurity community, said Maddie Stone, a security researcher at Google TAG, during mWISE.
“Adversaries need to exploit zero-days because we’ve enhanced our cybersecurity postures, which means that other intrusion techniques are not as efficient as they used to be,” she said.
“It is now time to improve these low-hanging fruits that have been overlooked for too long – security patches.”